b'March 26, 2003\nAudit Report No. 03-021\n\n\nFDIC Examiner Use of Work Performed by\nIndependent Public Accountants (IPAs)\n\x0c                                         TABLE OF CONTENTS\n\nBACKGROUND ................................................................................................................2\n\n     Statutory Requirements ..............................................................................................3\n        Section 112 of FDICIA and Section 36 of the FDI Act...........................................3\n        Sarbanes-Oxley Act of 2002....................................................................................6\n\n     Independent Public Accountants................................................................................8\n        Role and Standards ..................................................................................................8\n        Limitations of Audits and Audited Financial Statements........................................8\n        Interagency Policy Statement ................................................................................10\n        External Audit Programs .......................................................................................10\n\n     FDIC Examination Policy .........................................................................................11\n       Risk-Focused Examination Process.......................................................................11\n       Review of External Auditor Workpapers ..............................................................12\n       FDIC Case Managers\xe2\x80\x99 Interest in IPA Work.........................................................12\n       Follow-Up Action or Change in Supervisory Strategy..........................................13\n       FDIC as Insurer......................................................................................................14\n\nRESULTS OF AUDIT.....................................................................................................15\nCORPORATION COMMENTS AND OIG EVALUATION......................................15\nACRONYMS ....................................................................................................................16\nGLOSSARY......................................................................................................................17\nAPPENDIX I:                 OBJECTIVE, SCOPE AND METHODOLOY .............................24\nAPPENDIX II:               EXAMINER AND CASE MANAGER\n                           COMPLIANCE WITH FDIC POLICY.........................................26\n                              Workpaper Reviews in Downgraded Institutions .......................26\n                              Review of Part 363 Filings .........................................................27\n                              Followup on Management Letters ..............................................28\n\nAPPENDIX III: Federal Deposit Insurance Act Section 36 \xe2\x80\x93 Early Identification\n              of Needed Improvements in Financial Management for\n              Institutions with More than $500 Million in Total Assets ............30\n\nAPPENDIX IV: CORPORATION COMMENTS.....................................................31\n\nTABLES              Table 1: Part 363 Audit and Reporting Requirements.........................4\n\nFIGURES             Figure 1: Number and Type of External Audit Programs\n                              of FDIC-Supervised State Non-Member Banks ...................11\n\x0cFederal Deposit Insurance Corporation                                                                     Office of Audits\nWashington, D.C. 20434                                                                       Office of Inspector General\n\nDATE:               March 26, 2003\n\nTO:                 Michael J. Zamorski, Director\n                    Division of Supervision and Consumer Protection\n\n\n\n\nSUBJECT:            FDIC Examiner Use of Work Performed by Independent Public Accountants\n                    (IPAs) (Audit Report No. 03-021)\n\nThis report presents the results of an Office of Inspector General (OIG) audit of the Federal\nDeposit Insurance Corporation\'s (FDIC)1 examiner use of work performed by Independent\nPublic Accountants (IPAs) for financial institutions supervised by the FDIC\xe2\x80\x99s Division of\nSupervision and Consumer Protection (DSC).2 The overall objective of this audit was to\nevaluate FDIC examiner use of the work performed by IPAs who are engaged by FDIC-\nsupervised financial institutions.3 In accomplishing this objective, we reviewed:\n\n\xe2\x80\xa2    examination policies and procedures for evaluating the work of IPAs;\n\n\xe2\x80\xa2    resolution of differences between regulators and IPAs on matters affecting the safety and\n     soundness4 of an institution; and\n\n\n\n1\n The Federal Deposit Insurance Corporation\xe2\x80\x99s mission is to maintain the stability of and public confidence in the\nnation\'s financial system. To achieve this goal, the FDIC was created in 1933 to insure deposits and promote safe\nand sound banking practices.\n2\n The FDIC\xe2\x80\x99s Division of Supervision and Consumer Protection, in conjunction with other federal and state\nregulatory agencies, examines financial institutions to ensure they are conducting business in compliance with\nconsumer protection rules and in a way that minimizes risk to their customers and to the deposit insurance funds.\nThere are five categories of examinations: Community Reinvestment Act, Compliance, Information Systems &\nE-banking, Safety & Soundness, and Trust.\n3\n The FDIC supervises more than 5,500 FDIC-insured state-chartered banks that are not members of the Federal\nReserve System, described as state non-member banks. This includes state-licensed insured branches of foreign\nbanks and state-chartered mutual savings banks. As supervisor, the FDIC performs safety and soundness\nexaminations of FDIC-supervised institutions to assess their overall financial condition, management practices and\npolicies, and compliance with applicable laws and regulations. Through the examination process, the FDIC also\nassesses the adequacy of management and internal control systems to identify and control risks. Procedures\nnormally performed in completing this assessment may disclose the presence of fraud or insider abuse.\n4\n  Generally, an unsafe or unsound practice is any action or lack of action that is contrary to generally accepted\nstandards of prudent operation, the possible consequences of which, if continued, would be abnormal risk of loss or\ndamage to an institution, its shareholders, or the agencies administrating the insurance funds.\n\x0c\xe2\x80\xa2   followup on IPA findings and recommendations.\n\nAppendix I of this report discusses our objective, scope, and methodology in more detail.\n\n\nBACKGROUND\n\nAs described in the Interagency Policy Statement on External Auditing Programs of Banks and\nSavings Associations (Interagency Policy Statement), approved by the Federal Financial\nInstitutions Examination Council on August 19, 1999, the boards of directors and senior\nmanagers of insured depository institutions5 are responsible for ensuring that an institution\noperates in a safe and sound manner. To achieve this goal and meet the safety and soundness\nguidelines implementing section 39 of the Federal Deposit Insurance Act (FDI Act), 12 U.S.C.\n1831p-1, the institution should maintain effective systems and internal control to produce\nreliable and accurate financial reports.\n\nAccurate financial reporting is essential to an institution\xe2\x80\x99s safety and soundness for numerous\nreasons. First, accurate financial information enables management to effectively manage the\ninstitution\xe2\x80\x99s risks and make sound business decisions. In addition, FDIC-supervised institutions\nare required by 12 U.S.C. 1817a to provide accurate and timely financial reports (e.g., Reports\nof Condition and Income, also called Call Reports and Thrift Financial Reports)6 to the FDIC.\nThese reports serve an important role in the agency\'s risk-focused supervision7 programs by\ncontributing to examiners\xe2\x80\x99 pre-examination planning, DSC\xe2\x80\x99s off-site monitoring programs,8 and\n\n\n\n5\n The term insured depository institution means any bank or savings association, the deposits of which are insured\nby the FDIC.\n6\n Call Reports from banks and Thrift Financial Reports from savings associations are sworn statements of financial\ncondition that are submitted to the FDIC quarterly in accordance with federal regulatory requirements. They consist\nof a balance sheet, income statement, and other supplemental information and provide detailed analyses of balances\nand related activity.\n7\n  The risk-focused examination process attempts to assess an institution\'s risk by evaluating its processes to identify,\nmeasure, monitor, and control risk. The risk-focused examination process seeks to strike an appropriate balance\nbetween evaluating the condition of an institution at a certain point in time and evaluating the soundness of the\ninstitution\'s processes for managing risk.\n8\n  Bank supervisors use on-site and off-site surveillance to identify banks likely to fail. The most useful tool for\nidentifying problem institutions is on-site examination, in which the examiners travel to a bank and review all\naspects of its safety and soundness. On-site examination is, however, costly to supervisors because of its labor-\nintensive nature and burdensome to bankers because of the intrusion into day-to-day operations. As a result,\nsupervisors also monitor a bank\xe2\x80\x99s condition off-site. Off-site surveillance yields an ongoing picture of a bank\xe2\x80\x99s\ncondition, enabling supervisors to schedule and plan exams efficiently. Off-site surveillance also provides banks\nwith incentives to maintain safety and soundness between on-site visits. The FDIC\xe2\x80\x99s off-site monitoring systems\n(Statistical CAMELS Offsite Rating (SCOR), Real Estate Stress Test (REST), and Quarterly Lending Alert) are\nlargely based on Call Report data.\n\n\n\n                                                           2\n\x0cexaminers\xe2\x80\x99 assessments of an institution\xe2\x80\x99s capital adequacy9 and financial strength. Further,\nreliable financial reports are necessary for the institution to raise capital. They provide data to\nstockholders, depositors and other funds providers, borrowers, and potential investors on the\ncompany\xe2\x80\x99s financial position and results of operations. Such information is critical to effective\nmarket discipline of the financial institution.\n\n\nStatutory Requirements\n\nSection 112 of FDICIA and Section 36 of the FDI Act: The Federal Deposit Insurance\nCorporation Improvement Act (FDICIA) of 1991 added Section 36 to the Federal Deposit\nInsurance Act (FDI Act), codified to 12 U.S.C. 1831m, and Part 363 of the FDIC Rules and\nRegulations, codified to 12 C.F.R. Part 363, implements Section 36 of the FDI Act. FDICIA\ncontained accounting, corporate governance, and regulatory reforms designed to correct\nweaknesses in the deposit insurance system. Among other measures, the FDICIA\xe2\x80\x99s early\nwarning reforms provide for timely disclosure of internal control weaknesses. FDICIA also\nestablished audit and reporting requirements for insured depository institutions with total assets\nof $500 million or more and their independent public accountants. Section 36 of the FDI Act\nprovides additional improvements in financial management reporting. Appendix III shows the\nreforms and key provisions of Section 36 of the Act.\n\nPart 363 states that management of each financial institution covered by this regulation must:\n\n\xe2\x80\xa2   engage an independent public accountant;\n\xe2\x80\xa2   prepare annual financial statements in accordance with generally accepted accounting\n    principles; and\n\xe2\x80\xa2   produce annual management reports.\n\nThese annual management reports, referred to as management\xe2\x80\x99s report or management\xe2\x80\x99s\nassertion, must contain a statement of management\'s responsibilities for preparing the financial\nstatements, establishing and maintaining an internal control structure and procedures for\nfinancial reporting, and complying with laws and regulations relating to loans to insiders and\ndividend restrictions. The reports must also contain an evaluation by management of the\neffectiveness of the internal control structure and procedures for financial reporting, and an\nassessment of the institution\'s compliance with designated laws and regulations.\n\nThe independent public accountant engaged by the institution is responsible for:\n\n\xe2\x80\xa2   auditing and reporting on the institution\'s annual financial statements in accordance with\n    generally accepted auditing standards and\n\n\n9\n  A financial institution is expected to maintain capital commensurate with the nature and extent of risks to the\ninstitution and the ability of management to identify, measure, monitor, and control these risks. Capital adequacy,\nas it relates to quarterly Call Reports, can be evaluated to a limited extent based on certain financial information that\nincludes amounts used in calculations of an institution\'s various regulatory capital amounts.\n\n\n\n                                                           3\n\x0c\xe2\x80\xa2       examining, attesting to, and reporting separately on the assertions of management concerning\n        the institution\'s internal control structure and procedures for financial reporting.\n\nPart 363 requires that insured depository institutions covered by this regulation submit reports\nand notifications to the FDIC. Under Part 363, the board of directors of each insured depository\ninstitution must also establish an independent audit committee. Table 1 summarizes the audit\nand reporting requirements.\n\nTable 1: Part 363 Audit and Reporting Requirements\n    Insured Depository                  Audit Committee                          Reporting\n    Institutions with Assets of:        Requirements                             Requirements\n    Less than $500 million              None a                                   None a\n                                        Committee must consist\n                                        entirely of independent\n    $500 million or more\n                                        outside directors and may be             Annual report, including:\n    up to $3 billion\n                                        satisfied at holding company\n                                        level.                                   \xe2\x80\xa2   Audited financial\n                                        Committee must consist                       statements;\n                                        entirely of independent                  \xe2\x80\xa2 Audit report;\n    $3 billion or more but              outside directors and:                   \xe2\x80\xa2 Management report;\n    less than $5 billion                \xe2\x80\xa2 Include members with                       and\n    \xe2\x80\xa2 Regardless of CAMELS                  banking and related                  \xe2\x80\xa2 Independent public\n        ratings                             financial management                     accountant\'s report\n                                            expertise;                               on the internal controls\n                  and                   \xe2\x80\xa2 Have access to its own                     over financial reporting.\n                                            outside counsel, and                 Requirements may be\n    $5 billion or more with             \xe2\x80\xa2 Not include any large                  satisfied at the holding\n    \xe2\x80\xa2 CAMELS 1 or 2                         customers of the bank.               company level.\n                                        Requirements may be satisfied\n                                        at the holding company level.\n                                                                                 Banks may submit holding\n                                                                                 company audited financial\n                                        Committee requirements same\n    $5 billion or more with                                                      statements and audit report,\n                                        as above, but must be satisfied\n    \xe2\x80\xa2 CAMELS 3, 4, or 5 b                                                        but all other reports listed\n                                        at the bank level.\n                                                                                 above must be prepared at\n                                                                                 bank level.\n    a\n   The banking agencies continue to encourage all institutions, regardless of size, to have annual audits and to\n   establish audit committees comprised of outside directors.\n b\n   The appropriate federal banking agency may require an institution over $9 billion in total assets to report\n   separately under section 36 if its exemption would create a significant risk to the insurance fund.\nSource: FDIC Case Managers Procedures Manual\n\n\n\n\n                                                          4\n\x0cPart 363 requires that insured depository institutions covered by this regulation submit the\nfollowing reports and notifications to the FDIC, the appropriate federal banking agency, and the\nappropriate state bank supervisor.\n\n\xe2\x80\xa2    Within 90 days after fiscal year-end, an annual report must be filed. The annual report must\n     contain audited annual financial statements, the independent public accountant\'s audit report,\n     management\'s statements and assessments, and the independent public accountant\'s\n     attestation concerning the institution\'s internal control structure10 and procedures for\n     financial reporting.\n\n\xe2\x80\xa2    Within 15 days after receipt, the institution must submit any management letter;11 the audit\n     report and any qualification to the audit report;12 and any other report, including attestation\n     reports, from the independent public accountant.\n\n\xe2\x80\xa2    Within 15 days of occurrence, the institution must provide written notice of the engagement\n     of an independent public accountant, the resignation or dismissal of a previously engaged\n     accountant, and the reasons for such an event.\n\nPart 363 also requires certain filings from independent public accountants. The accountants\nmust notify the FDIC and the appropriate federal banking supervisor when it ceases to be the\naccountant for an insured depository institution. The notification must be in writing, be filed\nwithin 15 days after the relationship is terminated, and contain the reasons for the termination.\nThe accountant must also file a peer review report13 with the FDIC within 15 days of receiving\nthe report or before commencing any audit under Part 363.\n\nEach insured depository institution subject to Part 363 must establish an independent audit\ncommittee of its board of directors. The members of this committee must be outside directors\n\n10\n  Internal control is an integral component of an organization\xe2\x80\x99s management that provides reasonable assurance of\nachieving effectiveness and efficiency of operations, reliability of financial reporting, and compliance with\napplicable laws and regulations.\n11\n  Auditors are required to inform the audit committee (or its equivalent) about significant deficiencies in the design\nor operation of the internal control structure that come to their attention in the course of an audit. These are referred\nto as management letters.\n12\n   A qualified opinion states that, except for the effects of the matter to which the qualification relates, the financial\nstatements present fairly, in all material respects, the financial position, results of operations, and cash flows in\nconformity with generally accepted accounting principles (GAAP). For more information on GAAP, see\nfootnote 16.\n13\n  Peer review is the process by which other accountants assess and test compliance with quality control systems for\nthe accounting and auditing practices of SEC Practice Section (SECPS) members. The objectives of peer review are\nto determine whether the reviewed firm: (i) designed its system to meet Quality Control Standards established by\nthe American Institute of Certified Public Accountants (AICPA); (ii) complied with its quality control system to\nprovide reasonable assurance of complying with professional standards; and (iii) complied with SECPS membership\nrequirements. Upon the completion of a review, the peer reviewer prepares a report and a letter of comments, which\nmay recommend improvements to the firm\'s system of compliance.\n\n\n\n                                                            5\n\x0cwho are independent of management. Their duties include overseeing the internal audit\nfunction, selecting the external auditor, and reviewing with management and the external auditor\nthe scope of the audit, audit conclusions, and various management assertions and accountant\nattestations.\n\nPart 363 also establishes additional requirements for audit committees of insured depository\ninstitutions with total assets of more than $3 billion. Two members of the audit committee must\nhave banking or related financial management expertise. Large customers of the institution are\nexcluded from the audit committee. The audit committee must also have access to its own\noutside counsel.\n\nSarbanes-Oxley Act of 2002: President Bush signed the Sarbanes-Oxley Act of 2002,\nP.L. 107-204, into law on July 30, 2002. This Act was in response to high profile accounting\nand financial reporting scandals and has a significant impact on executives, accountants,\nshareholders, and regulators. The Act significantly affects the regulation of accountants;\nimposes new responsibilities and liabilities on chief executive officers (CEO), chief financial\nofficers (CFO), and Boards of Directors; and toughens criminal penalties, in terms of both fines\nand prison sentences, for corporate fraud, destruction of documents, and impeding\ninvestigations. The Act aims to restore investor confidence in the public markets and seeks to\nprevent corporate and accounting fraud. Among other things, the Act:\n\n\xe2\x80\xa2   establishes a new regulatory body to oversee public company auditors;\n\xe2\x80\xa2   redefines the relationship between auditors and their clients;\n\xe2\x80\xa2   places direct responsibility for the audit relationship on audit committees;\n\xe2\x80\xa2   requires certification of periodic reports by CEOs and CFOs;\n\xe2\x80\xa2   bans most loans by public companies to officers and directors;\n\xe2\x80\xa2   restricts certain executive officer and director transactions;\n\xe2\x80\xa2   holds the CEO and CFO responsible for restatements due to misconduct;\n\xe2\x80\xa2   requires reporting of insider stock transactions within two business days;\n\xe2\x80\xa2   imposes new obligations and responsibilities on audit committees;\n\xe2\x80\xa2   imposes new rules of professional responsibility for lawyers and analysts; and\n\xe2\x80\xa2   increases criminal penalties and enforcement measures for securities-related offenses.\n\nThe Act\xe2\x80\x99s provisions become effective at different times, ranging from immediately upon\nenactment to later dates specified in the Act or the date on which the required implementing\nregulations become effective. The Act does not impose requirements with respect to public\ncompanies switching audit firms periodically (though the Act requires that the U.S. Securities\nand Exchange Commission (SEC) study this issue).\n\n\n\n\n                                                6\n\x0cKey provisions within the Sarbanes-Oxley Act that impact registered public accounting firms14\nperforming services required by Part 363 of FDIC\xe2\x80\x99s Rules and Regulations for insured\ndepository institutions include:\n\n\xe2\x80\xa2    Creating a Public Company Accounting Oversight Board to oversee the auditing of public\n     companies. The Board will consist of five members appointed by the SEC and will register\n     public accounting firms as well as establish the standards for audits of public companies. In\n     addition, the Board will conduct inspections, investigations, and disciplinary hearings of\n     public accounting firms, and have the power to impose sanctions on public accounting firms.\n\n\xe2\x80\xa2    Prohibiting public accounting firms from performing specific services for their audit clients,\n     including internal audit services and financial information systems design and\n     implementation. The Act provides that auditors may engage in tax services or other services\n     not specifically excluded if approved in advance by the Audit Committee. The Act requires\n     that all non-audit services15 be pre-approved by the Audit Committee except for de minimus\n     non-audit services. In addition to further approval by the Audit Committee of non-audit\n     services, securities issuers are required to disclose to investors in their periodic reports the\n     nature of such approval. The Act also requires that audit partners or reviewing audit partners\n     cannot serve on the securities issuer\xe2\x80\x99s account for more than 5 years. In addition, a\n     company\xe2\x80\x99s CEO, controller, CFO, chief accounting officer, or equivalent may not have been\n     employed by the company\xe2\x80\x99s auditors or participated in any capacity in the audit of the\n     company during the 1-year period preceding the date of the initiation of the audit.\n\n\xe2\x80\xa2    Under the Act, the Audit Committee must be composed solely of independent directors.\n     Members of the Audit Committee cannot receive any consulting or other fees other than\n     board or committee fees. Audit Committee members cannot be "affiliated persons of the\n     company or a subsidiary." The Act disqualifies for Audit Committee membership a director\n     who owns a controlling interest in the company.\n\n     The Audit Committee, under the Act, is responsible for appointment, compensation, and\n     oversight of the public accounting firm. Significantly, the Audit Committee is now charged\n     with resolving any disagreements between management and the independent accounting\n     firm. The Act requires that the Audit Committee establish a complaints procedure for\n     receipt, retention, and treatment of complaints regarding accounting, internal accounting\n     control or auditing. The Audit Committee is specifically authorized to engage independent\n     counsel and other advisors.\n\n14\n   The term \xe2\x80\x9cregistered public accounting firm\xe2\x80\x9d means a public accounting firm registered with the Public Company\nAccounting Oversight Board in accordance with the Sarbanes-Oxley Act of 2002. The term \xe2\x80\x9cpublic accounting\nfirm\xe2\x80\x9d means a proprietorship, partnership, incorporated association, corporation, limited liability company, limited\nliability partnership, or other legal entity that is engaged in the practice of public accounting or preparing or issuing\naudit reports; and to the extent so designated by the rules of the Board, any associated person of any such entity.\n15\n  Non-audit services, according to the Sarbanes-Oxley Act of 2002, are any professional services provided to a\nsecurities issuer by a registered public accounting firm, other than those provided to an issuer in connection with an\naudit or a review of the financial statements of an issuer.\n\n\n\n                                                            7\n\x0cIndependent Public Accountants\n\nRole and Standards: Financial statements are often audited by an IPA for the purpose of\nopining on the fair presentation of an entity\xe2\x80\x99s financial statements. The IPA\xe2\x80\x99s standard report\nstates that the financial statements present fairly, in all material respects, an entity\xe2\x80\x99s financial\nposition, results of operations, and cash flows in conformity with GAAP.16 This conclusion may\nbe expressed only when the independent accountant has formed such an opinion on the basis of\nan audit performed in accordance with generally accepted auditing standards (GAAS).17 An IPA\nis defined18 as an accountant who is independent of a financial institution and registered or\nlicensed to practice, and holds himself or herself out, as a public accountant, and who is in good\nstanding under the laws of the state or other political subdivision of the United States in which\nthe home office of the institution is located. Prior to the implementation of the Sarbanes-Oxley\nAct of 2002, an IPA had to comply with the AICPA Code of Professional Conduct and any\nrelated guidance.\n\nLimitations of Audits and Audited Financial Statements: According to the Federal Reserve\nBoard\xe2\x80\x99s Commercial Bank Examination Manual, although auditing standards are designed to\nrequire the use of due care and objectivity, a properly designed and executed audit does not\nnecessarily guarantee that all misstatements of amounts or omissions of disclosure in the financial\nstatements have been detected, nor does a properly designed and executed audit guarantee that the\nauditor addressed safety and soundness considerations. The following examples from this\nmanual illustrate some common limitations of audits:\n\n\xe2\x80\xa2    The auditor is not responsible for deciding whether an institution operates wisely. An\n     unqualified audit report means that the institution reports transactions and balances in\n     accordance with GAAP. It does not mean that the transactions make business sense, the\n     associated risks are managed in a safe and sound manner, or balances can be recovered upon\n     disposition or liquidation.\n\n\xe2\x80\xa2    The auditor\xe2\x80\x99s report concerning financial statements does not signify that underwriting\n\n16\n   Generally Accepted Accounting Principles (GAAP) is the body of principles governing the accounting for\nfinancial transactions and preparation of financial statements. GAAP is derived from guidance issued by the\nFinancial Accounting Standards Board (FASB) and the AICPA in the form of Accounting Research Bulletins\n(ARB), Accounting Principles Board (APB) Opinions, FASB Statements of Financial Accounting Standards\n(SFAS), and FASB Statements of Financial Accounting Concepts (SFAC).\n17\n   Generally Accepted Auditing Standards (GAAS) are policies, guidelines, and procedures set forth by the AICPA\nthat an auditor is required to follow in performing an audit in order to render an opinion on an organization\'s\nfinancial statements.\n18\n  Enactment of the Sarbanes-Oxley Act of 2002, changed the term used to describe accountants in the SEC Act of\n1934. Section 10A of the Securities Exchange Act of 1934 (15 U.S.C. 78j-1) was amended by the Sarbanes-Oxley\nAct of 2002 by striking \xe2\x80\x9can independent public accountant\xe2\x80\x9d each place that term appears and inserting \xe2\x80\x9ca registered\npublic accounting firm.\xe2\x80\x9d\n\n\n\n                                                         8\n\x0c     standards, operating strategies, loan-monitoring systems, and workout procedures are\n     adequate to mitigate losses if the environment changes. The auditor\xe2\x80\x99s report that financial\n     statements present fairly the bank\xe2\x80\x99s financial position is based upon the prevailing evidence\n     and current environment, and indicates that reported assets can be recovered in the normal\n     course of business. In determining that reported assets can be recovered in the normal course\n     of business, the auditor attempts to understand financial-reporting internal controls and can\n     substitute other audit procedures when these controls are weak or nonexistent.\n\n\xe2\x80\xa2    The quality of management and how it manages risk are not considered in determining\n     historical cost and its recoverability. Although certain assets and instruments are marked to\n     market19 (for example, trading accounts), GAAP generally uses historical cost as the basis of\n     presentation. Historical cost assumes that the entity is a going concern. The going-concern\n     concept allows certain marked-to-market losses to be deferred because management believes\n     the cost basis can be recovered during the remaining life of the asset.\n\n\xe2\x80\xa2    GAAP financial statements offer only limited disclosures of risks and uncertainties, and\n     other safety and soundness factors on which an institution\xe2\x80\x99s viability depends.\n\n\xe2\x80\xa2    For purposes of determining the level of loan-loss reserves, GAAP does not consider losses\n     that are \xe2\x80\x98\xe2\x80\x98more likely than not,\xe2\x80\x99\xe2\x80\x99 \xe2\x80\x98\xe2\x80\x98reasonably possible,\xe2\x80\x99\xe2\x80\x99 or \xe2\x80\x98\xe2\x80\x98likely\xe2\x80\x99\xe2\x80\x99 to occur in future\n     periods. Under GAAP, loan-loss reserves are only provided for \xe2\x80\x98\xe2\x80\x98probable losses\xe2\x80\x99\xe2\x80\x99 and for\n     losses currently \xe2\x80\x98\xe2\x80\x98inherent\xe2\x80\x99\xe2\x80\x99 (that is, anticipated future charge-offs based on current\n     repayment characteristics) in the portfolio.\n\n\n\n\n19\n  According to FDIC Regional Directors Memorandum 98-059, issued July 9, 1998, New Examination Guidance\nand Procedures for Securities and Derivatives Activities, the term \xe2\x80\x9cmarked-to-market\xe2\x80\x9d is the valuation of a security,\nsuch as a bond, share, or futures contract, according to current market prices. These instruments are marked-to-\nmarket at the end of each trading day, or on an intra-day basis, by the exchange clearinghouse. Position value\nchanges are settled on a cash basis at least daily.\n\n\n\n\n                                                          9\n\x0cInteragency Policy Statement: Before August 1999, the FDIC and the other bank regulatory\nagencies that are members of the Federal Financial Institutions Examination Council (FFIEC)20\ngenerally believed that an independent external audit provided reasonable assurance that an\ninstitution\xe2\x80\x99s financial statements were prepared in accordance with GAAP. The independent\naudit process also subjected the internal controls and the accounting policies, procedures, and\nrecords of each banking organization to periodic review. Accordingly, the banking agencies\nrecommended that every institution have an external auditing program to help ensure accurate\nand reliable financial reporting.21\n\nExternal Audit Programs: On August 19, 1999, the FFIEC approved and recommended the\nInteragency Policy Statement on External Auditing Programs of Banks and Savings Associations\nwhich was subsequently approved and became effective for fiscal years beginning on or after\nJanuary 1, 2000.22\n\nThe Interagency Policy Statement states that to help ensure accurate and reliable financial\nreporting, the FFIEC agencies recommend that the board of directors of each institution establish\nand maintain an external auditing program. Although many insured depository institutions with\ntotal assets below a $500 million threshold are not subject to the requirements of Section 36 of\nthe FDI Act, the Interagency Policy Statement encourages these institutions to adopt its\nguidance.\n\nThe Interagency Policy Statement also states that an external auditing program should be an\nimportant component of an institution\'s overall risk management process. For example, an\nexternal auditing program complements the internal auditing function of an institution by\nproviding management and the board of directors with an independent and objective view of the\nreliability of the institution\'s financial statements and the adequacy of its control over financial\nreporting. Additionally, an effective external auditing program contributes to the efficiency of\nthe agencies\' risk-focused examination process. By considering the significant risk areas of an\ninstitution, an effective external auditing program may reduce the examination time the agencies\nspend in such areas. Moreover, it can improve the safety and soundness of an institution\nsubstantially and lessen the risk that the institution poses to the insurance funds administered by\nthe FDIC.\n\n\nThe federal banking agencies view a full-scope annual audit of a bank\xe2\x80\x99s financial statements by\n\n20\n  The Federal Financial Institutions Examination Council (FFIEC), is comprised of the Board of Governors of the\nFederal Reserve System (FRB), the FDIC, the National Credit Union Administration (NCUA), the Office of the\nComptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).\n21\n  The FDIC first adopted guidance on external auditing programs in its Policy Statement Regarding Independent\nExternal Auditing Programs of State Nonmember Banks in 1988 (53 FR 47871, November 28, 1988). In 1996, the\nFDIC reviewed the Current Policy Statement pursuant to section 303(a) of the Riegle Community Development and\nRegulatory Improvement Act of 1994 and adopted several amendments to eliminate inconsistencies and outdated\nrequirements (61 FR 32438, June 24, 1996).\n22\n     The NCUA, also a member of the FFIEC, did not adopt the policy at that time.\n\n\n\n                                                         10\n\x0can independent public accountant as preferable to other types of external auditing programs. The\nInteragency Policy Statement adopted by the regulatory agencies on or after January 2000\nrecognizes that a full-scope audit may not be feasible for every small bank. It therefore\nencourages those banks to pursue appropriate alternatives to a full-scope audit in cases where a\nfull scope audit is not performed. These alternatives, which must be performed by an\nindependent public accountant, are (1) an attestation on internal control over financial reporting\non certain schedules of the Reports of Condition and Income (Call Report) or (2) an audit of the\ninstitution\'s balance sheet. The Interagency Policy Statement further indicates that, for a smaller\ninstitution with less complex operations, the attestation on internal control\nmay be less costly than an audit         Figure 1: Number and Type of External Audit Programs\nof its financial statements or its                of FDIC-Supervised State Non-Member Banks\nbalance sheet and may provide more\nuseful information to                       3,500\nmanagement. Small banks are                   Number of Institutions\n                                            3,000                         Banks with total assets\nalso encouraged to establish an                       323                 of $500 million or more\naudit committee consisting of               2,500\n                                                                          Banks with total assets\noutside directors.                          2,000                         less than $500 million\n\n                                                                       1,500\nEach year\'s March 31 Call                                                            2,683\nReport requires an institution to                                      1,000\n                                                                                                                  1,483\nreport the type of its external                                         500\nauditing program for the prior                                                                        103\n                                                                                                                             336\n                                                                          0\nyear. Figure 1 shows the type                                                       Financial      Attestation   Balance     No\nof external auditing program                                                        Statement                     Sheet    External\n                                                                                      Audit                       Audit     Audit\nand number of FDIC-\nsupervised banks reporting.23                                                                   Type of External Audit\n                                               Source: FDIC, DSC Policy Branch - Accounting Section.\n\nFDIC Examination Policy\n\nRisk-Focused Examination Process: On October 1, 1997, the FDIC, in conjunction with the\nFederal Reserve and the Conference of State Bank Supervisors, began implementing a new\nrisk-focused examination process designed to focus bank examinations on bank functions that\npose the greatest risk exposure. This new examination process represents a change from the\ntraditional approach, with its heavy emphasis on predetermined tasks and a review of large\nsamples of loans.\n\nThe risk-focused examination process attempts to assess an institution\xe2\x80\x99s risk by evaluating its\nprocesses to identify, measure, monitor, and control risk. If management controls are properly\ndesigned and effectively applied, they should help ensure that satisfactory performance is\nachieved. In a rapidly changing environment, a bank\xe2\x80\x99s condition at any given point in time may\nnot be indicative of its future performance. The risk-focused examination process seeks to strike\nan appropriate balance between evaluating the condition of an institution at a certain point in\n23\n  Figure 1 includes only FDIC-supervised state non-member banks as of December 31, 2001. It does not include\n574 other FDIC-supervised institutions, such as state-chartered savings banks and U.S. branches of foreign banks.\n\n\n\n                                                                               11\n\x0ctime and evaluating the soundness of the institution\xe2\x80\x99s processes for managing risk. Moreover,\nthe risk-focused approach attempts to involve less regulatory burden by focusing on testing,\nrather than duplicating, the work of audit and control functions. Based on the institution\xe2\x80\x99s size,\ncomplexity, and risk profile, an examiner can choose to test, evaluate, and accept the results\nfrom such controls as internal and external audits, loan policy, loan review, and loan grading\nsystems.\n\nReview of External Auditor Workpapers: When an institution has an external auditing\nprogram, examiners should be able to review the auditors\xe2\x80\x99 workpapers as appropriate. Under\n\xc2\xa7 36(g)(3)(A)(i) of the FDI Act, the audit services for institutions covered by Part 363 must be\nperformed by an accountant who has agreed to provide examiners with access to the audit\nworkpapers and the accountant\xe2\x80\x99s policies and procedures, if requested. If holding company\nfinancial statements or a holding company attestation report on internal control over financial\nreporting has been submitted to the FDIC on behalf of a subsidiary institution that is subject to\nPart 363, the examiner of the subsidiary institution may examine the workpapers of the holding\ncompany audit or attestation.\n\nThrough the auditors\xe2\x80\x99 workpapers, the examiner can review the external auditor\xe2\x80\x99s evaluation of\ninternal controls, assessment of audit risk in the institution (including risk of material\nmisstatement of the financial statements due to fraud), significant account balances and\ntransactions, and other audit areas pertinent to the examination. A workpaper review is\nrecommended in those circumstances where it will provide the examiner a better understanding\nof one or more areas of the bank\xe2\x80\x99s operations and the bases for some of the auditor\xe2\x80\x99s evaluations\nin those areas. Thus, a review can be another source of information about the bank\xe2\x80\x99s internal\ncontrol and financial reporting practices and about the work that the auditor has performed in\nspecific audit areas of the bank\xe2\x80\x99s operations or activities. The review may help determine the\nscope of the examination procedures that should be carried out. The review can identify those\nareas where the independent public accountant performed audit work sufficient to enable the\nexaminers to limit their procedures, and those areas of higher risk for which examination\nprocedures should be expanded. However, the sufficiency and appropriateness of the external\nauditor\xe2\x80\x99s procedures may be different from the procedures the examiner would perform during\nan examination. Reviewing audit workpapers may also acquaint an examiner assigned to an\ninstitution for the first time with what the auditor considers to be significant audit and internal\ncontrol risks in that institution.\n\nFDIC Case Managers\xe2\x80\x99 Interest in IPA Work: The primary goal of the case manager program\nis to significantly enhance risk assessment and supervision activities by assigning responsibility\nand accountability for a caseload of institutions or companies to one individual, regardless of\ncharter and location, and by encouraging a more proactive, but non-intrusive, coordinated\nsupervisory approach. Case managers are involved in efforts designed to meet the FDIC\'s offsite\nmonitoring and analysis goals as they relate to the assessment of risk to the deposit insurance\nfunds, as well as the financial condition of the individual institutions within their caseloads. In\nthat regard, they will analyze financial and other information filed or reported in accordance with\nregulatory requirements, as well as information from other sources. Case managers\ncommunicate and coordinate with regional specialists on substantive issues regarding institutions\nwithin their caseloads to ensure that risks presented by certain specialty areas, such as\n\n\n                                                12\n\x0caccounting, are identified and quantified, and to ensure that proper supervisory action is taken to\nminimize risk to the deposit insurance funds.\n\nThe case manager is responsible for review of annual Part 363 filings from covered and\nassociated institutions in their caseloads. Case managers review an institution\'s annual Part 363\nfiling to ensure that it includes all of the required documents. In reviewing an institution\'s\nannual Part 363 filing, the case manager is responsible for obtaining the annual Part 363 filing\nand worksheet for the prior year to see if there were any issues noted. Finally, the case manager\nreviews the current year\xe2\x80\x99s filing and completes the appropriate worksheet. The review concludes\nwith the need to make a determination as to whether a change in supervisory strategy or follow-\nup action is needed. A worksheet is used to record the review of the annual Part 363 filing and is\nknown as a Part 363 Annual Report Worksheet.\n\nIf an institution has been assigned a composite CAMELS24 rating of 4 or 5 or its annual report\nreveals significant concerns about matters that would have fallen within the scope of the work\nperformed by the bank\'s external auditors, the case manager consults with the regional\naccountant. Together they determine when a review of the workpapers of the independent public\naccountant performing the external audit of the institution for the previous year will be\nperformed.\n\nAnother worksheet known as a Periodic Reports Worksheet is used to document the review of\nany other reports submitted by either the financial institution or the public accountant. These\nreports include, but are not limited to: any management letter issued by the IPA; written notice\nof the engagement, resignation or dismissal of an IPA by an institution and the reasons for such\nan event; or, written notice from the IPA that it has ceased to be the accountant for an institution\nand the reasons for the termination.\n\nSome institutions also submit a management letter with the annual report documents. The\nmanagement letter is addressed to the board or audit committee. It details internal control\nweaknesses that were not considered reportable conditions or sufficiently material to include in\nthe audit report. If a management letter has been submitted, the case manager should review the\nsubmission and complete a Part 363 Periodic Report Worksheet. The review should conclude\nwith a determination as to whether a change in supervisory strategy, follow-up action, or review\nof the auditor\'s workpapers are needed.\n\nFollow-Up Action or Change in Supervisory Strategy: If it is determined that follow-up\naction or a change in supervisory strategy is warranted for a state non-member bank, case\n24\n   Financial institution regulators use the Uniform Financial Institutions Rating System to evaluate a bank\'s\nperformance. Six areas of performance are evaluated and given a numerical rating of "1" through "5," with "1"\nrepresenting the least degree of concern and "5" the greatest degree of concern. The six performance areas identified\nby the CAMELS acronym are: Capital adequacy, Asset quality, Management practices, Earnings performance,\nLiquidity position, and Sensitivity to market risk. A composite CAMELS rating is an overall rating given to a bank\nbased on the six components of the CAMELS rating. A rating of "1" through "5" is given. A rating of "1" indicates\nstrong performance; "2" reflects satisfactory performance; "3" represents below-average performance; "4" refers to\nmarginal performance that could threaten the viability of the institution; and, "5" is considered critical,\nunsatisfactory performance that threatens the viability of the institution.\n\n\n\n                                                         13\n\x0cmanagers should discuss the concerns with the field office supervisor, determine the appropriate\nsupervisory strategy to address these concerns, and prepare a memorandum outlining the\nrecommended course of action. Thus, a case manager\'s primary interest in an IPA\'s work is\nfocused on the FDIC\'s role as a supervisor and an insurer.\n\nIf, in the case manager\'s judgment, an IPA product contains negative information that may be\nsevere enough to warrant concern over the safety and soundness of the institution, the case\nmanager should discuss the concerns with the field office supervisor. Together they should\ndetermine the appropriate supervisory strategy to address these concerns and prepare a\nmemorandum outlining the recommended course of action.\n\nFDIC as Insurer: As insurer, the FDIC continually evaluates how changes in the economy,\nfinancial markets, banking system, and individual financial institutions affect the adequacy and\nviability of the deposit insurance funds. To protect the insurance funds, the FDIC identifies risks\nby analyzing economic, financial, and banking trends, as well as IPA work products, and\ncommunicates these findings to the industry and the other federal banking agencies and state\nauthorities. As the insurer, the FDIC, by statute, has special insurance authority for all insured\ndepository institutions. Should the FDIC identify significant emerging risks or have serious\nconcerns raised in IPA work about any insured depository institution not primarily supervised by\nthe FDIC, the FDIC and the institution\'s primary federal supervisor25 work together to address\nthem.\n\nAs a supervisor, the FDIC is the primary federal banking regulator of all state non-member\nbanks. In that regard, the FDIC performs safety and soundness examinations, visitations, and\ninvestigations of FDIC-supervised institutions to assess their overall financial condition,\nmanagement practices and policies, and compliance with applicable laws and regulations.\nThrough the examination process, the FDIC also assesses the adequacy of management and\ninternal control systems to identify and control risks. An IPA\'s work may complement an\ninstitution\'s internal audit function by providing another independent and objective view of the\nreliability of the institution\'s financial statements and the adequacy of its financial reporting\ninternal controls. Procedures normally performed in completing this assessment may disclose\nthe presence of fraud or insider abuse.\n\n\n\n\n25\n  The institution\xe2\x80\x99s charter determines which federal banking agency is the \xe2\x80\x9cprimary federal supervisor\xe2\x80\x9d of the\nparticular institution.\n\n\n                                                        14\n\x0cRESULTS OF AUDIT\n\nFDIC examiners made reasonable use of the work performed by IPAs. For those institutions\nwith CAMELS ratings of 1, 2, or 3, FDIC examiners and case managers considered IPA reports,\nmanagement letters, and other available documentation in conjunction with their safety and\nsoundness examinations and in devising the overall supervisory strategy. FDIC examiners\nexpanded their examination testing and review when an IPA uncovered or reported irregularities\nor problems in an area and the examiners followed up on the institution\xe2\x80\x99s corrective actions.\nExaminers also effectively resolved differences with IPAs. In addition to the above, for poorly\nrated institutions \xe2\x80\x93 those with CAMELS ratings of 4 or 5 \xe2\x80\x93 examiners reviewed the IPA\xe2\x80\x99s\nworkpapers, thoroughly documenting their review. FDIC examiners reviewed IPA workpapers\nto gain an understanding of the IPA\'s scope and results of work performed including, for\nexample, in the areas of internal control, the risk of material misstatement due to fraud, or asset\nvaluation concerns.\n\nIn general, the FDIC has established sound examination policies and procedures for evaluating\nthe effectiveness of a financial institution\xe2\x80\x99s external audit program. While the FDIC\xe2\x80\x99s risk-\nfocused examination policy, as stated in Regional Directors Memorandums 1998-100, dated\nDecember 16, 1998 and 1999-011, dated March 23, 1999, could be interpreted to require testing\nof IPA work in order to reduce the scope of examinations, such testing would only be possible\nby reviewing the IPA\xe2\x80\x99s workpapers. However, we do not consider routinely reviewing the IPA\xe2\x80\x99s\nworkpapers to be necessary or practical for all examinations of better-rated institutions. The\nFDIC\xe2\x80\x99s approach of deciding on a case-by-case basis whether to review the work of IPAs on\nexaminations of\nbetter-rated institutions provides appropriate balance between risk and use of examination\nresources.\n\nAppendix II discusses the detailed results of our audit, including three instances of\nnoncompliance with FDIC policy and procedures. These were deemed insignificant.\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn March 20, 2003, the Director, DSC, provided a written response to the draft report, although\nthe report did not contain recommendations. The response is presented in Appendix IV of this\nreport. The Director of DSC stated the Division would continue to be proactive in addressing\ntheir evaluations of external audit activity through their own efforts and through interagency\ninitiatives.\n\n\n\n\n                                                15\n\x0c                                          ACRONYMS\n\n\nAICPA      American Institute of Certified Public Accountants\n\nCAMELS Ratings for Capital adequacy, Asset quality, Management practices, Earnings\n       performance, Liquidity position, and Sensitivity to market risk.\n\nCEO        Chief Executive Officer\n\nCFO        Chief Financial Officer\n\nDSC        Division of Supervision and Consumer Protection (formerly the Division of\n           Supervision)\n\nFDI Act    Federal Deposit Insurance Act\n\nFDIC       Federal Deposit Insurance Corporation\n\nFDICIA     Federal Deposit Insurance Corporation Improvement Act of 1991\n\nFFIEC      Federal Financial Institutions Examination Council\n\nFRB        Federal Reserve Board (Board of Governors of the Federal Reserve System)\n\nGAAP       Generally Accepted Accounting Principles\n\nGAAS       Generally Accepted Auditing Standards\n\nIPA        Independent Public Accountant\n\nNCUA       National Credit Union Association\n\nOCC        Office of the Comptroller of the Currency\n\nOIG        Office of Inspector General\n\nOTS        Office of Thrift Supervision\n\nSEC        U.S. Securities and Exchange Commission\n\nTFR        Thrift Financial Report\n\n\n\n\n                                               16\n\x0c                                   GLOSSARY\n\n           Term                                        Definition\n\n                          Call Reports from banks and Thrift Financial Reports from savings\n                          associations are sworn statements of financial condition that are\nCall Report or            submitted to FDIC quarterly in accordance with federal regulatory\nThrift Financial Report   requirements. They consist of a balance sheet, income statement,\n                          and other supplemental information and provide detailed analyses of\n                          balances and related activity.\n\n\n                          Financial institution regulators use the Uniform Financial\n                          Institutions Rating System (UFIRS) to evaluate a bank\'s\n                          performance. Six areas of performance are evaluated and given a\n                          numerical rating of 1 through 5, with 1 representing the least degree\n                          of concern and 5 the greatest degree of concern. The six performance\n                          areas identified by the CAMELS acronym are\n\n                          \xe2\x80\xa2   Capital adequacy,\n                          \xe2\x80\xa2   Asset quality,\n                          \xe2\x80\xa2   Management practices,\nCAMELS Rating and\n                          \xe2\x80\xa2   Earnings performance,\nComposite CAMELS Rating\n                          \xe2\x80\xa2   Liquidity position, and\n                          \xe2\x80\xa2   Sensitivity to market risk.\n\n                          A composite CAMELS rating is an overall rating given to a bank\n                          based on the six components of the CAMELS rating. A rating of 1\n                          through 5 is given. A rating of 1 indicates strong performance; 2\n                          reflects satisfactory performance; 3 represents below average\n                          performance; 4 refers to marginal performance that could threaten\n                          the viability of the institution; and 5 is considered critical,\n                          unsatisfactory performance that threatens the viability of the\n                          institution.\n\n\n\n\n                                           17\n\x0c                                        GLOSSARY\n\n           Term                                             Definition\n\n                              A financial institution is expected to maintain capital commensurate\n                              with the nature and extent of risks to the institution and the ability of\n                              management to identify, measure, monitor, and control these risks.\n                              Capital adequacy, as it relates to quarterly Call Reports, can be evaluated\n                              to a limited extent based on certain financial information that includes\n                              amounts used in calculations of an institution\'s various regulatory capital\nCapital Adequacy\n                              amounts.\n\n                              Part 325 of the FDIC Rules and Regulations, 12 C.F.R. \xc2\xa7325.101, et.\n                              seq, implements section 38 of the FDI Act, 12 U.S.C. \xc2\xa71831(o), by\n                              establishing a framework for taking prompt supervisory actions against\n                              insured non-member banks that are not adequately capitalized.\n\n\n                              Effective July 1, 2002, the FDIC\xe2\x80\x99s Division of Supervision and the\n                              Division of Compliance and Consumer Affairs were merged to form\n                              the new Division of Supervision and Consumer Protection (DSC).\n                              The DSC promotes the safety and soundness of FDIC-supervised\n                              institutions, protects consumers\xe2\x80\x99 rights, and promotes community\n                              investment initiatives by FDIC-supervised insured depository\n                              institutions.\n\nDivision of Supervision and   The mission of FDIC\xe2\x80\x99s Division of Supervision and Consumer\nConsumer Protection (DSC)     Protection (DSC) is to promote stability and public confidence in the\n                              nation\'s financial system by:\n\n                              \xe2\x80\xa2   examining and supervising insured financial institutions to\n                                  ensure they operate in a safe and sound manner, consumers\'\n                                  rights are protected, and FDIC-supervised institutions invest in\n                                  their communities, and\n                              \xe2\x80\xa2   providing timely and accurate deposit insurance information to\n                                  financial institutions and the public.\n\n\n                              The FDIC, in conjunction with other federal and state regulatory\n                              agencies, examines financial institutions to ensure they are conducting\n                              business in compliance with consumer protection rules and in a way that\nExamination Function          minimizes risk to their customers and to the deposit insurance funds.\n                              There are five categories of examinations: Community Reinvestment\n                              Act, Compliance, Information Systems & E-banking, Safety &\n                              Soundness, and Trust.\n\n\n\n\n                                                18\n\x0c                                      GLOSSARY\n\n           Term                                          Definition\n\n                            The FDIC\xe2\x80\x99s Supervision Program promotes the safety and soundness\n                            of FDIC-supervised institutions, protects consumers\xe2\x80\x99 rights, and\n                            promotes community investment initiatives by FDIC-supervised\n                            insured depository institutions.\n\n                            As supervisor, the FDIC performs safety and soundness\n                            examinations of FDIC-supervised institutions to assess their overall\n                            financial condition, management practices and policies, and\n                            compliance with applicable laws and regulations. Through the\n                            examination process, the FDIC also assesses the adequacy of\n                            management and internal control systems to identify and control\n                            risks. Procedures normally performed in completing this assessment\nFDIC Supervision Program    may disclose the presence of fraud or insider abuse.\n\n                            The FDIC supervises FDIC-insured state-chartered banks that are\n                            not members of the Federal Reserve System, described as state\n                            non-member banks. This includes state-licensed insured branches of\n                            foreign banks and state-chartered mutual savings banks. The FDIC\n                            also has examination authority and special insurance activity\n                            authority for state member banks that are supervised by the Board of\n                            Governors of the Federal Reserve System (FRB), national banks that\n                            are supervised by the Office of the Comptroller of the Currency\n                            (OCC), and savings associations that are supervised by the Office of\n                            Thrift Supervision (OTS). This authority is exercised in the FDIC\xe2\x80\x99s\n                            role as insurer of those institutions.\n\n\n                            The Federal Deposit Insurance Corporation\xe2\x80\x99s mission is to maintain the\nFederal Deposit Insurance   stability of and public confidence in the nation\'s financial system. To\nCorporation (FDIC)          achieve this goal, the FDIC was created in 1933 to insure deposits and\n                            promote safe and sound banking practices.\n\n\n                            The Federal Financial Institutions Examination Council (FFIEC) is a\n                            formal interagency body empowered to prescribe uniform principles,\n                            standards, and report forms for the federal examination of financial\nFederal Financial\n                            institutions by the FRB, FDIC, the National Credit Union\nInstitutions Examination\n                            Administration (NCUA), OCC, and OTS and to make\nCouncil (FFIEC)\n                            recommendations to promote uniformity in the supervision of\n                            financial institutions.\n\n\n\n\n                                             19\n\x0c                                        GLOSSARY\n\n           Term                                             Definition\n\n                              Generally Accepted Accounting Principles (GAAP) is the body of\n                              principles governing the accounting for financial transactions and\n                              preparation of financial statements. GAAP is derived from guidance\nGenerally Accepted\n                              issued by the Financial Accounting Standards Board and the\nAccounting Principles\n                              American Institute of Certified Public Accountants in the form of\n(GAAP)\n                              Accounting Research Bulletins, Accounting Principles Board\n                              Opinions, FASB Statements of Financial Accounting Standards, and\n                              FASB Statements of Financial Accounting Concepts.\n\n\n                              Generally Accepted Auditing Standards (GAAS) are policies,\nGenerally Accepted Auditing   guidelines, and procedures set forth by the AICPA that an auditor is\nStandards (GAAS)              required to follow in performing an audit in order to render an\n                              opinion on an organization\'s financial statements.\n\n\nInsured Depository            The term insured depository institution means any bank or savings\nInstitution                   association, the deposits of which are insured by the FDIC.\n\n\n                              Internal control is an integral component of an organization\xe2\x80\x99s\n                              management that provides reasonable assurance of achieving\nInternal Control\n                              effectiveness and efficiency of operations, reliability of financial\n                              reporting, and compliance with applicable laws and regulations.\n\n\n                              Auditors are required to inform the audit committee (or its\n                              equivalent) about significant deficiencies in the design or operation\nManagement Letters\n                              of the internal control structure that come to their attention in the\n                              course of an audit. These are referred to as management letters.\n\n\n                              According to FDIC Regional Directors Memorandum 98-059, issued\n                              July 9, 1998, New Examination Guidance and Procedures for\n                              Securities and Derivatives Activities, the term \xe2\x80\x9cmarked-to-market\xe2\x80\x9d is\n                              the valuation of a security, such as a bond, share, or futures contract,\nMarked-to-Market\n                              according to current market prices. These instruments are marked-\n                              to-market at the end of each trading day, or on an intra-day basis, by\n                              the exchange clearinghouse. Position value changes are settled on a\n                              cash basis at least daily.\n\n\n\n\n                                               20\n\x0c                                  GLOSSARY\n\n           Term                                      Definition\n\n                        Non-audit services, according to the Sarbanes-Oxley Act of 2002,\n                        are any professional services provided to a securities issuer by a\nNon-Audit Services      registered public accounting firm, other than those provided to an\n                        issuer in connection with an audit or a review of the financial\n                        statements of an issuer.\n\n\n                        Bank supervisors use on-site and off-site surveillance to identify\n                        banks likely to fail. The most useful tool for identifying problem\n                        institutions is on-site examination, in which the examiners travel to a\n                        bank and review all aspects of its safety and soundness. On-site\n                        examination is, however, both costly and burdensome to supervisors\n                        because of its labor-intensive nature and burdensome to bankers\n                        because of the intrusion into day-to-day operations. As a result,\nOn-Site and             supervisors also monitor a bank\xe2\x80\x99s condition off-site.\nOff-Site Surveillance\n                        Off-site surveillance yields an ongoing picture of a bank\xe2\x80\x99s condition,\n                        enabling supervisors to schedule and plan exams efficiently. Off-site\n                        surveillance also provides banks with incentives to maintain safety\n                        and soundness between on-site visits. The FDIC\xe2\x80\x99s off-site\n                        monitoring systems (Statistical CAMELS Offsite Rating, Real Estate\n                        Stress Test, and Quarterly Lending Alert) are largely based on Call\n                        Report data.\n\n\n                        Peer review is the process by which other accountants assess and test\n                        compliance with quality control systems for the accounting and\n                        auditing practices of U.S. Securities and Exchange Commission\n                        (SEC) Practice Section (SECPS) members. The objectives of peer\n                        review are to determine whether the reviewed firm: (1) designed its\nPeer Review and         system to meet Quality Control Standards established by the\nPeer Review Report      American Institute of Certified Public Accountants; (2) complied\n                        with its quality control system to provide reasonable assurance of\n                        complying with professional standards; and (3) complied with\n                        SECPS membership requirements. Upon the completion of a review,\n                        the peer reviewer prepares a report and a letter of comments, which\n                        may recommend improvements to the firm\'s system of compliance.\n\n\n\n\n                                         21\n\x0c                                      GLOSSARY\n\n           Term                                           Definition\n\n                            The institution\xe2\x80\x99s charter determines which federal banking agency is\n                            the \xe2\x80\x9cprimary federal regulator\xe2\x80\x9d of the particular institution. There\n                            are four federal regulators of banks and savings and loan institutions:\n\n                            \xe2\x80\xa2   Federal Deposit Insurance Corporation (FDIC) - Primary federal\n                                regulator responsible for state-chartered banks not members of\n                                the Federal Reserve System and state chartered savings banks.\n                            \xe2\x80\xa2   Federal Reserve Board (FRB) - Primary federal regulator\nPrimary Federal Regulator       responsible for state-chartered commercial bank members of the\n                                Federal Reserve System.\n                            \xe2\x80\xa2   Office of the Comptroller of the Currency (OCC) - Primary\n                                federal regulator responsible for nationally chartered commercial\n                                banks.\n                            \xe2\x80\xa2   Office of Thrift Supervision (OTS) - Primary federal regulator\n                                responsible for federally chartered savings and loan associations,\n                                federal savings banks, and state-chartered savings and loan\n                                associations.\n\n\n                            A qualified opinion states that, except for the effects of the matter to\n                            which the qualification relates, the financial statements present\nQualified Opinion           fairly, in all material respects, the financial position, results of\n                            operations, and cash flows in conformity with generally accepted\n                            accounting principles.\n\n\n                            The term \xe2\x80\x9cregistered public accounting firm\xe2\x80\x9d means a public\n                            accounting firm registered with the Public Company Accounting\n                            Oversight Board in accordance with the Sarbanes-Oxley Act of\n                            2002. The term \xe2\x80\x9cpublic accounting firm\xe2\x80\x9d means a proprietorship,\n                            partnership, incorporated association, corporation, limited liability\n                            company, limited liability partnership, or other legal entity that is\n                            engaged in the practice of public accounting or preparing or issuing\nRegistered Public           audit reports; and to the extent so designated by the rules of the\nAccounting Firm             Board, any associated person of any such entity.\n\n                            Enactment of the Sarbanes-Oxley Act of 2002, changed the term\n                            used to describe accountants in the Securities Exchange Act of 1934.\n                            Section 10A of the Securities Exchange Act of 1934\n                            (15 U.S.C. 78j-1) was amended by the Sarbanes-Oxley Act of 2002\n                            by striking \xe2\x80\x9can independent public accountant\xe2\x80\x9d each place that term\n                            appears and inserting \xe2\x80\x9ca registered public accounting firm.\xe2\x80\x9d\n\n\n\n\n                                             22\n\x0c                                         GLOSSARY\n\n            Term                                             Definition\n\n                               The risk-focused examination process attempts to assess an\n                               institution\'s risk by evaluating its processes to identify, measure,\nRisk-Focused Examination       monitor, and control risk. The risk-focused examination process\nProcess                        seeks to strike an appropriate balance between evaluating the\n                               condition of an institution at a certain point in time and evaluating\n                               the soundness of the institution\'s processes for managing risk.\n\n\n                               These periodic, on-premise examinations help assess an institution\'s\n                               financial condition, policies and procedures, and adherence to laws\nSafety and Soundness\n                               and regulations. These examinations are a vital tool in protecting the\nExaminations\n                               financial integrity of the deposit insurance funds and promoting the\n                               public confidence in the banking system and individual banks.\n\n\n                               Call Reports from banks and Thrift Financial Reports from savings\n                               associations are sworn statements of financial condition that are\nThrift Financial Reports and   submitted to the FDIC quarterly in accordance with federal\nCall Reports                   regulatory requirements. They consist of a balance sheet, income\n                               statement, and other supplemental information and provide detailed\n                               analyses of balances and related activity.\n\n\n                               12 U.S.C. \xc2\xa7 1841(I) defines a \xe2\x80\x9cthrift institution\xe2\x80\x9d as: (a) a domestic\n                               building and loan or savings and loan association, (b) non-profit\nThrift Institution\n                               cooperative bank without capital stock, (c) a federal savings bank, or\n                               (d) a registered state-chartered savings bank and holding company.\n\n\n                               Generally, an unsafe or unsound practice is any action or lack of\n                               action that is contrary to generally accepted standards of prudent\nUnsafe or Unsound Practice     operation, the possible consequences of which, if continued, would\n                               be abnormal risk of loss or damage to an institution, its shareholders,\n                               or the agencies administrating the insurance funds.\n\n\n\n\n                                                23\n\x0c                                                                                   APPENDIX I\n\n\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\nThe overall objective was to evaluate FDIC examiner use of work performed by IPAs who are\nengaged by FDIC-supervised financial institutions. In accomplishing our objective, we\nreviewed:\n\n\xe2\x80\xa2   examination policies and procedures for evaluating the work of IPAs,\n\n\xe2\x80\xa2   resolution of differences between regulators and IPAs on matters affecting safety and\n    soundness considerations, and\n\n\xe2\x80\xa2   followup on IPA findings and recommendations.\n\nTo accomplish our audit objective, the OIG interviewed DSC headquarters and Dallas, San\nFrancisco, Chicago, Memphis, Boston, and New York regional office personnel. We\ninterviewed selected examiners and supervisory examiners who worked on the examinations we\nreviewed. We also reviewed the DSC Manual of Examination Policies, FDIC Case Managers\nProcedures Manual, Regional Directors Memoranda, FDIC Financial Institution Letters, and the\nRisk Scoping Activities and Reviews of External Auditor Workpaper ED Modules to obtain an\nunderstanding of the policies and procedures that determine the scope and requirements for the\nuse of and reliance on IPA work. Additionally, we reviewed FDIC compliance with applicable\nlaws and regulations. Finally, we reviewed current news articles, proposed legislation, and other\nagency and regulator reports and related documents to gain an understanding of concerns and\nviewpoints of the regulators\xe2\x80\x99 role and responsibilities in working with IPA data and reports.\n\nWe reviewed 30 institution examination files along with the related correspondence and\nadministrative files. Initially, we judgmentally selected 33 examinations from the seven regional\noffices based on institution size and geographic location. Based on our initial results for the 30\ninstitutions reviewed, we eliminated the 3 selected institutions in the Atlanta region based on the\nconsistent facts we found in the other 6 regions. The 33 original examinations were specifically\nselected from two groups of institutions. The first selection was of institutions that had an\nexamination composite CAMELS rating of 4 or 5. Next, we selected institutions that were either\nover $500 million in asset size or were between $250 and $500 million. Of the 33 institutions\nselected, 1 institution had an examination composite CAMELS rating of 1, 19 were rated 2, 4\nwere rated 3, 7 were rated 4, and 2 were rated 5. We reviewed the DSC examination\nworkpapers, the general safety and soundness correspondence/administrative files, IPA audit\nreports, and various FDIC and state examination reports. In addition, we reviewed matters\nrelating to external auditors\xe2\x80\x99 involvement in verifying a financial institution\xe2\x80\x99s call or thrift\nfinancial report data, providing internal audit services, and retaining certain documentation\nrelated to engagements.\n\nFrom the sample of 30 exams, we also reviewed the pre-examination scope memorandum\ncomments that related to IPA audit work. This review was essential for developing an\nunderstanding of any risk-scoping or pre-examination planning activities performed by\nexaminers to risk-focus the examination based on IPA work. For all 30 examinations, we\n\n\n\n                                                24\n\x0c                                                                                APPENDIX I\n\nassessed the extent to which the examiner used the IPA data or reports and how such information\nimpacted the examination.\n\nThe limited nature of the audit objective did not require reviewing related performance measures\nunder the Government Performance and Results Act, testing for fraud or illegal acts, or\ndetermining the reliability of computer-processed data obtained from the FDIC\xe2\x80\x99s computerized\nsystems. We gained an understanding of relevant internal control activities by examining DSC\xe2\x80\x99s\napplicable policies and procedures as presented in DSC manuals, Regional Directors Memoranda,\nand Examination Documentation Modules. We decided not to test internal control activities\nbecause we concluded that the audit objective could be met more efficiently by conducting\nsubstantive tests rather than placing reliance on the internal control system.\n\nWe performed fieldwork at the Dallas, San Francisco, Chicago, Memphis, Boston, and New York\nregional offices and at 10 field offices within those regions. We reviewed examinations\nperformed during the period of January 1, 2000 through December 31, 2001. We performed our\naudit from April 2002 through January 2003, in accordance with generally accepted government\nauditing standards.\n\n\n\n\n                                              25\n\x0c                                                                                    APPENDIX II\n\n\nEXAMINER AND CASE MANAGER COMPLIANCE WITH FDIC POLICY\n\nIn our review of 30 institutions, we identified three instances where examiners and case\nmanagers did not comply with FDIC policies and procedures. First, a review of an IPA\xe2\x80\x99s\nworkpapers was not initiated timely because of examiner oversight. Second, case manager files\nand examination workpapers contained no evidence that one institution\xe2\x80\x99s Part 363 filing was\nreviewed, as a result of confusion during the institution\xe2\x80\x99s merger. Finally, in one instance,\nexaminers did not follow up on an IPA\xe2\x80\x99s management letter that explained concerns the IPA had\nabout internal controls at the bank, because of misunderstandings surrounding the institution\nchanging its IPA. As a result, examiners may not have adequately assessed potential problems\nand weak internal controls that may have existed at the three affected institutions. However, we\ndid not identify any specific negative effect in these instances.\n\nWorkpaper Reviews in Downgraded Institutions\n\nExaminers did not initiate a workpaper review timely for one of the three downgraded\ninstitutions in our sample. The examiners had overlooked scheduling a review of the IPA\xe2\x80\x99s\nworkpapers until they were notified of our visit to the field office in conjunction with this audit.\nHowever, the workpaper review was initiated before the bank\xe2\x80\x99s next scheduled examination.\n\nFDIC Regional Directors Memorandum 2000-055, Reviews of External Auditors\xe2\x80\x99 Workpapers,\nissued November 30, 2000, states that when an institution is downgraded to a 4- or 5-rating after\nan examination, arrangements should be made to review the IPA\xe2\x80\x99s workpapers (if not already\nreviewed) within 3 months of the downgrade unless the downgrade occurs within the last\n3 months of the institution\xe2\x80\x99s fiscal year. In that case, the workpaper review should be performed\non that fiscal year\xe2\x80\x99s audit within 3 months after the completion of the audit early the following\nyear.\n\nFurther, according to FDIC Regional Directors Memorandum 2000-019, Reviews of External\nAuditors\xe2\x80\x99 Workpapers, dated March 21, 2000, examiners, through the auditors\xe2\x80\x99 workpapers, can\nreview the external auditor\xe2\x80\x99s evaluation of internal controls, assessment of audit risk in the\ninstitution (including risk of material misstatement of the financial statements due to fraud),\nsignificant account balances and transactions, and other audit areas pertinent to the examination.\nA workpaper review is recommended in those circumstances where it will provide the examiner\na better understanding of one or more areas of the bank\xe2\x80\x99s operations and the bases for some of\nthe auditor\xe2\x80\x99s evaluations in those areas. Thus, a review can be another source of information\nabout the bank\xe2\x80\x99s internal control and financial reporting practices and about the work that the\nauditor has performed in specific audit areas of the bank\xe2\x80\x99s operations or activities. The review\nmay help determine the scope of the examination procedures that should be carried out. The\nreview can identify those areas where the independent public accountant performed audit work\nsufficient to enable the examination procedures in those areas to be limited, and those areas of\nhigher risk on which examination procedures should be expanded. However, the sufficiency and\nappropriateness of the external auditor\xe2\x80\x99s procedures may be different from the procedures the\nexaminer would perform during an examination. Reviewing audit workpapers may also acquaint\n\n\n\n\n                                                 26\n\x0c                                                                                   APPENDIX II\n\nan examiner assigned to an institution for the first time with what the auditor considers to be\naudit and internal control risks in that institution.\n\nExamination workpapers revealed that for one of the three downgraded institutions in our\nsample, examiners had not initiated a workpaper review as required within 3 months of the\ninstitution being downgraded. In response to notification of this audit, examiners initiated a\nreview of the IPA\'s workpapers 9 months after the previous examination. However, because the\nrating downgrade occurred within the last 3 months of the institution\xe2\x80\x99s fiscal year, examiners\nshould have performed a workpaper review within 3 months after the completion of the IPA\naudit early the following year.\n\nFDIC examiners completed their examination of the downgraded bank October 17, 2001. The\nbank\xe2\x80\x99s fiscal year ended December 31, 2001, and the IPA completed the bank\xe2\x80\x99s audit on\nFebruary 14, 2002. Accordingly, a workpaper review should have been initiated within\n3 months of February 14, 2002, or by May 14, 2002. However, examiners overlooked\nscheduling a review of the IPA\xe2\x80\x99s workpapers. The review was not initiated until June 3, 2002, in\nresponse to our visit to the field office conducting the examination. Nevertheless, the examiner\xe2\x80\x99s\nrequest to review the IPA\xe2\x80\x99s workpapers was only 3 weeks late and the workpaper review was\ninitiated before the bank\xe2\x80\x99s next scheduled examination.\n\nReview of Part 363 Filings\n\nFDIC case manager files and examiner workpapers for 1 of the 19 Part 363 institutions in our\nsample did not contain any evidence of review of required financial statements provided by a\nfinancial institution with more than $500 million in total assets. This situation occurred because\nof confusion surrounding the merger of the institution into a larger institution and the subsequent\ntransfer of files between case managers in different FDIC regional offices. As a result, we could\nnot determine whether the case managers had fulfilled their responsibility to ensure that the\ninstitution had complied with its Part 363 audit and reporting requirements. However, the bank\nhad received composite CAMELS ratings of 1 in each annual examination since 1997, and the\nbank merged into a 2-rated bank.\n\nPart 363 of the FDIC Rules and Regulations establishes audit and reporting requirements for\ninsured depository institutions with total assets of $500 million or more and their independent\npublic accountants. The reports and notifications must be submitted to the FDIC, the appropriate\nprimary federal regulatory agency, and the appropriate state banking authority.\n\nUnder Part 363, management of each institution covered by this regulation must engage a public\naccountant, prepare annual financial statements in accordance with GAAP, and produce annual\nreports. The independent public accountant engaged by the institution is responsible for auditing\nand reporting on the institution\'s financial statements in accordance with generally accepted\nauditing standards, and examining, attesting to, and reporting separately on the assertions of\nmanagement concerning the institution\'s internal control structure and procedures for financial\nreporting. Furthermore, Section 13 of the FDIC Case Managers Procedures Manual,\n\n\n\n\n                                                27\n\x0c                                                                                 APPENDIX II\n\nPart 363 - Annual Audit and Reporting Requirements, states that case managers are responsible\nfor reviewing Part 363 filings from covered and associated institutions in their caseloads.\n\nHowever, FDIC case manager files and examiner workpapers for 1 of the 19 Part 363 institutions\nin our sample did not indicate that the case manager reviewed and determined whether the\ninstitution fulfilled its audit and reporting requirements. Although examiners in the Dallas field\noffice examined the bank in question, the responsible case manager resided in the Kansas City\nregional office. The bank was then sold to a holding company within the jurisdiction of the\nFDIC\'s San Francisco regional office and is currently overseen by a case manager in the San\nFrancisco regional office. Followup with the Dallas field office and case managers in both\nregional offices determined that none of them had a copy of a Part 363 Worksheet to evidence a\ncase manager\'s review. We believe it was either lost during the transfer of files between regional\noffices or none was ever completed. As a result, we could not determine whether either of the\nFDIC case managers (1) determined whether the institution fulfilled its audit and reporting\nrequirements, (2) reviewed the institution\'s Part 363 prior year submission to see if there were\nany issues noted, and (3) reviewed the institution\xe2\x80\x99s Part 363 submission for completeness to\nensure it included all required documents.\n\nHowever, the bank in question merged with another, larger institution effective June 15, 2002.\nIn addition, the bank had received composite CAMELS ratings of 1 in each annual examination\nsince 1997.\n\nFollowup on Management Letters\n\nIn one instance in our sample, examiners did not follow up on an IPA\xe2\x80\x99s management letter that\nexplained concerns the IPA had about internal controls at the bank. This lack of followup\noccurred because of misunderstandings surrounding the institution changing its IPA. The\nFDIC\xe2\x80\x99s senior examiner could not explain specifically why examiners had not followed up on\nthe IPA\xe2\x80\x99s management letter. As a result of not following up on the management letter, possible\ninternal control weaknesses at the institution, potential problems resulting from those\nweaknesses, and bank management\'s response and actions regarding these problems may not\nhave been adequately reviewed by examiners at the subsequent examination.\n\nFDIC Regional Directors Memorandum 2000-019, Reviews of External Auditors\xe2\x80\x99 Workpapers,\ndated March 21, 2000, states that before or during each examination, examiners should obtain\nfrom management all correspondence between the external auditor and the bank. The\ncorrespondence to be reviewed includes the management letter and any other letters or\ndocuments in which any weaknesses in internal control may be discussed. The examiner should\nalso review management\xe2\x80\x99s responses and actions planned to alleviate any internal control\nweaknesses that were noted by the auditor. For any material weaknesses and reportable\nconditions identified by the auditor, the examiner should ensure that management has planned\nappropriate corrective actions and determine whether the institution has implemented the actions\nplanned to correct the deficiencies. If the examiner believes that management\xe2\x80\x99s actions are\ninadequate, the examiner should make recommendations for improvement, according to the\nRegional Directors Memorandum.\n\n\n\n                                               28\n\x0c                                                                                   APPENDIX II\n\n\n\nDuring our review of a regional case manager\xe2\x80\x99s file, we found an IPA\xe2\x80\x99s management letter that\nexplained concerns the IPA had about internal controls at the bank. The letter was addressed to the\nmanagement and audit committee of the institution. It was also forwarded to the responsible FDIC\nregional office where we found it in the case manager\xe2\x80\x99s files. However, we could not find a copy of\nthe management letter in the field office examination workpapers or any notation as to whether\nexaminers had followed up on it.\n\nFinding no evidence of followup in the examination workpapers, we asked the FDIC senior examiner\nto contact bank management to obtain a copy of management\'s response to the IPA\'s management\nletter. Bank management advised that they did not respond to the IPA\'s management letter because\nthe bank\xe2\x80\x99s audit committee had been in the process of replacing the IPA. The bank had submitted the\nrequired notice alerting federal regulators that the bank had replaced its external auditor.\n\nIn addition, the senior examiner contacted one of the examiners who worked on the subsequent\nexamination and learned that the examiners looked at the successor IPA\xe2\x80\x99s information. The\nexamination workpapers did contain evidence of the examiner\xe2\x80\x99s review of correspondence\nbetween the new external auditor and the bank. However, no followup was performed to\ndetermine whether bank management had responded to the former IPA\xe2\x80\x99s management letter.\nAccording to the senior examiner, the subsequent examination was conducted jointly with a state\nbank regulator, and a state examiner was tasked with evaluating the institution\xe2\x80\x99s external audit\nprogram. The examiner contacted did not have an explanation as to why the state\xe2\x80\x99s examiner did\nnot follow up on the former IPA\xe2\x80\x99s management letter.\n\nAlthough examiners should follow up on IPA management letters, we believe this was an isolated\ninstance, based on the results of our sample. Additionally, the institution involved received\ncomposite 1 CAMELS ratings from 1997 through 2000, and a composite 2 rating at the\nconclusion of the 2001 examination conducted by FDIC and the state agency.\n\n\n\n\n                                                29\n\x0c                                                                                         APPENDIX II\n\n\n                                                                                          APPENDIX III\n\nFederal Deposit Insurance Act Section 36 \xe2\x80\x93 Early Identification of Needed Improvements\nin Financial Management for Institutions with More than $500 Million in Total Assets\nSection       Section Title                             Summary of Provisions\n           Annual Report on      Each insured depository institution is required to submit its audited\n  36(a)    Financial Condition   financial statements to the FDIC, the appropriate federal banking\n           and Management        agency, and any appropriate state bank supervisor.\n                                 Each insured depository institution is required to prepare annual\n           Management            financial statements in accordance with generally accepted\n           Responsibility for    accounting principles. In addition, the institution must prepare a\n 36(b)     Financial             report signed by the chief executive officer and the chief accounting\n           Statements and        or financial officer of the institution that contains a statement of\n           Internal Controls     management\xe2\x80\x99s responsibilities for and assessment of its internal\n                                 controls and compliance with laws and regulations.\n           Internal Control\n                                 Requires the institution\'s independent public accountant to attest to,\n           Evaluation and\n                                 and report on, the assertions of the institution\'s management\n           Reporting\n 36(c )                          regarding internal controls. Further, the IPA\'s attestation must be\n           Requirements for\n                                 made in accordance with generally accepted standards for attestation\n           Independent Public\n                                 engagements.\n           Accountants\n                                 Requires the FDIC to prescribe regulations requiring each insured\n                                 depository institution to have an annual independent audit made of\n                                 the institution\'s financial statements by an independent public\n           Annual\n                                 accountant in accordance with generally accepted auditing standards\n           Independent Audits\n 36(d)                           and section 37 of the FDI Act. This section also requires the\n           of Financial\n                                 independent public accountant to determine and report whether the\n           Statements\n                                 financial statements of the institution are presented fairly in\n                                 accordance with generally accepted accounting principles; and to\n                                 comply with other disclosure requirements of the FDIC.\n           Detecting and\n           Reporting\n 36(e)                           Repealed.\n           Violations of Laws\n           and Regulations\n                                 Requires the scope of each report by an independent public\n           Form and Content\n                                 accountant, and the procedures followed in preparing report, to meet\n  36(f)    of Reports and\n                                 or exceed the scope and procedures required by generally accepted\n           Auditing Standards\n                                 auditing standards.\n                                 Requires each insured depository institution to have an independent\n           Improved              audit committee entirely made up of outside directors who are\n 36(g)\n           Accountability        independent of management of the institution and establishes other\n                                 new responsibilities for the committees.\n                                 Requires each institution to provide its auditor a copy of its most\n           Exchange of           recent report of condition (Call Report or Thrift Financial Report),\n 36(h)     Reports and           report of examination, and any supervisory actions. In addition, the\n           Information           institution is required to provide its audit reports to the federal\n                                 regulators and notify the federal regulators if it changes its auditor.\nSource: FDI Act Section 36.\n\n\n\n\n                                                   30\n\x0c                       APPENDIX III\n\n\n                        APPENDIX IV\nCORPORATION COMMENTS\n\n\n\n\n         31\n\x0c'